
I would like to understand the event:
Category: Trojans
IP Address: 77.73.68.175 port 8 and 77.73.68.17 port 8

ISP: Fishnet Communications LLC
Usage Type: Data Center/Web Hosting/Transit
Domain Name: rnet.ru
Country: Russia
City: Shushary, Sankt-Peterburg

I followed the steps described in: https://forums.malwarebytes.com/topic/248304-trojans/?_fromLogin=1
1. Scan with Malwarebytes 3
2. Scan with AdwCleaner
3. Scan with Farbar Recovery Scan Tool


Is this an event describing my PC trying to set up a connection to 77.73.68.175?
If so, what application is doing this?

 

AdwCleaner quarantine.jpg

Malware Bytes notification trojan.jpg

Malware Bytes notification trojan2.jpg

Malware Bytes notification trojan3.jpg

Addition.txt AdwCleaner[C00].txt AdwCleaner[S00].txt FRST.txt Malware Bytes event report trojan outbound blocked websites.txt Malware Bytes summary.txt

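One way to answer the "what application is doing this?" question on the affected PC is to list the live TCP connections to the 77.73.68.x range and name the process that owns each one. This is an added example, not a script from the thread or from Malwarebytes; it assumes Windows 8 or later (Get-NetTCPConnection from the NetTCPIP module) run from an elevated PowerShell window, and the $Prefix parameter name is my own.

```powershell
# Added example: map current TCP connections to a destination prefix back to
# the owning process. Assumes Windows 8+ and an elevated PowerShell session.
param(
    # Destination range taken from the Malwarebytes block events in the thread.
    [string]$Prefix = '77.73.68.'
)

$hits = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -like "$Prefix*" } |
    ForEach-Object {
        # OwningProcess is the PID; resolve it to a name and image path.
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalPort  = $_.LocalPort
            RemoteAddr = $_.RemoteAddress
            RemotePort = $_.RemotePort
            State      = $_.State          # SynSent is typical for a blocked attempt
            PID        = $_.OwningProcess
            Process    = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Path       = if ($proc) { $proc.Path } else { '' }
        }
    }

if (-not $hits) {
    Write-Output "No current TCP connections to $Prefix* (a blocked attempt may already have been torn down)."
} else {
    $hits | Format-Table -AutoSize
}
```

Because Web Protection tears a blocked connection down quickly, run this while an event is firing or loop it with Start-Sleep. UDP traffic such as the port 137 mentioned later in the thread has no remote address in Get-NetUDPEndpoint, so only TCP is covered here.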

Hello Polleke and welcome to Malwarebytes,

Continue with the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Please download Zemana AntiMalware and save it to your Desktop.
 
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
     
  • Open Zemana AntiMalware again.
  • Click on the icon and double click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • Attach saved report in your next message.

Let me see those logs in your reply, also let me know if the trojan blocks have ceased...

Thank you,

Kevin

fixlist.txt


Zemana log shows a report only on those entries, is that what you refer to..? Or for DNS, are you referring to IP 192.168.62.70?

Can you open this folder: C:\FRST. Inside that folder is a sub folder "Quarantine"; can you copy the Quarantine folder to your desktop, zip it up and attach it to your reply please..

Have the trojan blocks ceased..?


Firefox browser hijack seems to be responsible for the outbound calls, that is the reason for the quarantine folder request, to have a look at the javascript files for FF entries..

I'm aware of non routable address space and the reasons for its use over internal networks...

Have the trojan blocks ceased...?


The Firefox "Three Ships" applet/JS is installed to access the e-Learning environment at my university.

But this 77.73.68.x range is in Russia, so something (not yet known / undetectable) is setting up a connection (using port 8) which raises a MalwareBytes event.


Are the Malwarebytes events still happening..? If so, a clean install of Firefox may be needed. Are you ok with that?

If you are setting up google dns use 8.8.8.8 and 8.8.4.4

The firewall rule ports you mention are local allowable ports with no attributable applications..


I have not seen any events concerning IP 77.73.68.x since MalwareBytes blocked them. So I uninstalled and installed again. I will monitor it over the coming days. Strangely enough, I have not cleaned/removed anything since none of the anti-malware tools could find a threat......


Has the event issue ceased after the IP 192.168.62.70 was removed, or prior?

Would a clean install of Firefox be a problem for you? Instructions follow:

Make a "Clean" install of Firefox:

Use the following link for instructions on how to back up your bookmarks; the same link can be used to import saved Bookmarks:

https://support.mozilla.org/en-US/kb/export-firefox-bookmarks-to-backup-or-transfer

To manage Passwords :-

https://support.mozilla.org/en-US/kb/password-manager-remember-delete-change-and-import

Next,

Remove all synced data from Firefox to stop possible re-infection or exploitation.

https://support.mozilla.org/en-US/questions/1037353

Next,

Go here: http://www.mozilla.org/en-US/ download and save the latest version of Firefox.. We will install this later...

Next,

Let's totally remove Firefox and start over.

Go here: https://support.mozilla.org/en-US/kb/uninstall-firefox-from-your-computer and follow those instructions...

When the uninstall completes, ensure you navigate to and delete the Firefox installation folder (if present):

(32-bit Windows) C:\Program Files\Mozilla Firefox
(64-bit Windows) C:\Program Files (x86)\Mozilla Firefox

It is essential the installation folder is removed. Re-boot your system when that is completed....

Next,

To remove all remaining data and profile information...

Press "Windows key + R" to open the Run box
In the Run box, type in or copy and paste %APPDATA%
Click OK. A Windows Explorer window will appear.
In this window, choose/open in succession Mozilla > Firefox > Profiles.
Select Delete on each entry in reverse, eg Profiles > Delete. Firefox > Delete. Mozilla > Delete.

Re-boot your system when complete!

Next,

Use the Mozilla Firefox installer to reinstall your Browser....

When Firefox is installed and open, select these keys together :- Ctrl - Shift - A. That will access the Add-ons manager, which gives access to find add-ons/extensions, use, start, stop or disable those features etc....

uBlock-Origin can be installed from here: https://addons.mozilla.org/en-GB/firefox/addon/ublock-origin/ <<--- Recommended.

 

I have not had any notification since the 6th July, although nothing was found nor removed by various tools (MB, FRST, Zemana, etc.).
Could you explain to me why you think that the notification is related to a browser hijacker?
Could it also be caused by malicious software?
Is the destination IP 77.73.68.x not known in a malware database to determine where and what to look for?
- https://twitter.com/viriback/status/1060561333240938496
- https://twitter.com/i/web/status/1101475880927481856
In the notification, it is stated that outbound port 8 is used (I guess this is a TCP port, which is an undefined/unused port).

 


Part of the FRST fix was to remove flagged entries related to the Mozilla Firefox Browser. I asked if the blocks had ceased; if not, I was suggesting a clean install of Firefox to make sure all possibilities were covered.

Malwarebytes was just doing its job blocking the outbound calls to a suspicious IP address from Firefox, totally deleting the browser would not be practical..

As is normal in a browser hijack the outbound IP changes, as does the port used. Port 137 was used as well as port 8. Two different IPs were flagged. If the blocks had continued I'm sure we would have seen IP and port numbers also changing...

You mention no more events since the 6th, a clean install of Firefox is therefore no longer needed. I assume we are ok to clean up now...

Uninstall Zemana http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Next,

Right click on FRST here: C:\work\hacking\ANTIVIRUS ADWARE\Farbar Recovery Scan Tool\FRST64.exe and rename it uninstall.exe. When complete, right click on uninstall.exe and select "Run as Administrator"

If you do not see the .exe appended, that is because file extensions are hidden; in that case just rename FRST64 to uninstall

That action will remove FRST and all created files and folders...

Next,

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 
